
SSL Configuration in Oracle Business Intelligence 5-17

5.5.6 Configuring SSL When Using Multiple Authenticators

If you are configuring multiple authenticators and have configured an additional LDAP Authenticator to communicate over SSL (one-way SSL only), you need to put the corresponding LDAP server's root certificate in an additional keystore used by the virtualization (libOVD) functionality.

Note: Before completing this task, you must configure the custom property called virtualize and set its value to true. For more information, see Section 3.2.3.3, "Configuring Oracle Business Intelligence to use Multiple Authentication Providers".

To put an LDAP server root certificate in an additional keystore used by the virtualization (libOVD) functionality:

1. Create the keystore:

   a. Set environment variables ORACLE_HOME, WL_HOME and JAVA_HOME.

      For example, on Windows:

      set ORACLE_HOME=MW_HOME\Oracle_BI1
      set WL_HOME=MW_HOME\wlserver_10.3
      set JAVA_HOME=MW_HOME\jdk160_24

   b. Set up the keystore by running libovdconfig.sh (on UNIX) or libovdconfig.bat (on Windows) with the -createKeystore option.

      For example, on UNIX, open a shell prompt and change the directory to MW_HOME/oracle_common/bin. Then run the following command, which prompts for the Oracle Business Intelligence administrator user name and password:

      ./libovdconfig.sh -host <hostname> -port <Admin_Server_Port> -username <BI Admin User> -domainPath MW_HOME/user_projects/domains/bifoundation_domain -createKeystore

      Windows location: MW_HOME\oracle_common\bin\libovdconfig.bat

   c. When prompted, enter the Oracle Business Intelligence administrator password, and the OVD Keystore password (a new password that will be used to secure a Keystore file), created by the libovdconfig.sh -createKeystore command.

      Once this command runs, you should see two new credentials in the Credential Store and a new Keystore file called adapters.jks under MW_HOME\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores.

2. Export the root certificate from the LDAP directory (refer to your LDAP documentation on how to do this).

3. Import the root certificate to the libOVD keystore using the keytool command:

   MW_HOME\jdk160_24\bin\keytool -import -keystore MW_HOME\user_projects\domains\bifoundation_domain\config\fmwconfig\ovd\default\keystores\adapters.jks -storepass <KeyStore password> -alias <alias of your choice> -file <Certificate filename>

4. Restart WebLogic and BI System processes.

   For more information, see Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

5-18 Security Guide for Oracle Business Intelligence Enterprise Edition

5.6 Advanced SSL Configuration Options

The default SSL configuration uses default cipher suite negotiation. You can configure the system to use a different cipher suite if your organization’s security standards do not allow for the default choice. The default choice can be viewed in the output from the SSL status report.

This advanced option is not configured by the SSL Everywhere central configuration. Instead, individual components must be manually configured. If new components are added by scaling out, each additional component must be manually configured.

Manual configuration involves editing the configuration files (.ini and .xml). Be careful to observe the syntactic conventions of these file types. If the files are incorrect, the corresponding component logs an error in its log file and will not start up.

A manually configured SSL environment can co-exist with a default SSL configuration.

To manually configure SSL cipher suite:

1. Configure SSL Everywhere by following the instructions in Section 5.4, "Configuring SSL Communication Between Components".

   Note: Before making manual changes, invoke the SSLManualConfig MBean under BIDomain.BIInstance.SecurityConfiguration with the usual lock/commit cycle.

2. Select the desired Java Cipher Suite name from the options located at http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#AppA.

3. Create an Open SSL Cipher Suite Name that matches the cipher suite chosen, using the list at http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT.

   For example, Java Cipher Suite name SSL_RSA_WITH_RC4_128_SHA maps to Open SSL: RSA+RC4+SHA.

4. Edit the JavaHost configuration file located at ORACLE_INSTANCE\config\OracleBIJavaHostComponent\coreapplication_obijh1\config.xml and add the following sub-element to the JavaHost/Listener/SSL element. For example:

   <EnabledCipherSuites>SSL_RSA_WITH_RC4_128_SHA</EnabledCipherSuites>

5. If in a clustered environment, edit the Cluster Controller configuration file located at ORACLE_INSTANCE\config\OracleBIApplication\coreapplication\NQClusterConfig.INI and set the SSL_CIPHER_LIST value, as in the following example:

   SSL_CIPHER_LIST = RSA+RC4+SHA;

6. Edit the BI Presentation configuration file located at ORACLE_INSTANCE\config\OracleBIPresentationServicesComponent\coreapplication_obips1\instanceconfig.xml and add the attribute cipherSuites="RSA+RC4+SHA" to the sub-elements WebConfig/ServerInstance/ps:Listener and WebConfig/ServerInstance/ps:JavaHostProxy.

7. Edit the BI Scheduler configuration file located at ORACLE_INSTANCE\config\OracleBISchedulerComponent\coreapplication_obisch1\instanceconfig.xml and add the following sub-element to scheduler/ServerInstance/SSL. For example:

   <CipherList>RSA+RC4+SHA</CipherList>

8. If in a clustered environment, edit the Cluster Controller configuration file located at ORACLE_INSTANCE\config\OracleBIApplication\coreapplication\NQClusterConfig.INI and set the SSL_CIPHER_LIST value, as in the following example:

   SSL_CIPHER_LIST = RSA+RC4+SHA;

9. Restart all the Oracle Business Intelligence components.

   For more information, see "Starting and Stopping Oracle Business Intelligence System Components" in Oracle Fusion Middleware System Administrator's Guide for Oracle Business Intelligence Enterprise Edition.

10. Run an SSL status report to confirm SSL is enabled by following the steps in Section 5.4.6, "Confirming SSL Status".

A Alternative Security Administration Options

This appendix describes alternative security administration options that are included for backward compatibility with upgraded systems and are not considered a best practice.
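For the manual cipher suite procedure in Section 5.6 above (steps 4 to 8), an added example that is not part of the Oracle guide: a Python check that the Java suite name in the JavaHost file and the matching OpenSSL string in the other three files agree. The XML and INI fragments, the ps namespace URI and the function names are constructed for illustration, and the sample's JavaHostProxy value is deliberately mismatched to show a finding.

```python
import re
import xml.etree.ElementTree as ET

# The one mapping the page states; add entries using the OpenSSL cipher list docs.
JAVA_TO_OPENSSL = {"SSL_RSA_WITH_RC4_128_SHA": "RSA+RC4+SHA"}

# Constructed fragments, not real Oracle BI files; the ps namespace URI is a placeholder.
SAMPLE = {
    "javahost": "<JavaHost><Listener><SSL><EnabledCipherSuites>"
                "SSL_RSA_WITH_RC4_128_SHA</EnabledCipherSuites></SSL></Listener></JavaHost>",
    "presentation": '<WebConfig xmlns:ps="urn:example:ps"><ServerInstance>'
                    '<ps:Listener cipherSuites="RSA+RC4+SHA"/>'
                    '<ps:JavaHostProxy cipherSuites="RSA+RC4+MD5"/>'
                    "</ServerInstance></WebConfig>",
    "scheduler": "<scheduler><ServerInstance><SSL><CipherList>RSA+RC4+SHA"
                 "</CipherList></SSL></ServerInstance></scheduler>",
    "cluster_ini": "# constructed\nSSL_CIPHER_LIST = RSA+RC4+SHA;\n",
}

def _by_local_name(xml_text, name):
    """First element whose tag, ignoring any namespace, equals name (or None)."""
    root = ET.fromstring(xml_text)  # raises ParseError on malformed XML
    return next((e for e in root.iter() if e.tag.rsplit("}", 1)[-1] == name), None)

def collect(javahost, presentation, scheduler, cluster_ini):
    """Map each setting from steps 4-8 to its configured value (None if absent)."""
    text = lambda e: e.text.strip() if e is not None and e.text else None
    attr = lambda e: e.get("cipherSuites") if e is not None else None
    ini = re.search(r"^\s*SSL_CIPHER_LIST\s*=\s*([^;#\r\n]+)", cluster_ini, re.M)
    return {
        "JavaHost EnabledCipherSuites": text(_by_local_name(javahost, "EnabledCipherSuites")),
        "Cluster SSL_CIPHER_LIST": ini.group(1).strip() if ini else None,
        "Presentation ps:Listener": attr(_by_local_name(presentation, "Listener")),
        "Presentation ps:JavaHostProxy": attr(_by_local_name(presentation, "JavaHostProxy")),
        "Scheduler CipherList": text(_by_local_name(scheduler, "CipherList")),
    }

def check(java_suite, files):
    """Return one message per setting that is missing or disagrees with java_suite."""
    openssl_name = JAVA_TO_OPENSSL[java_suite]
    problems = []
    for where, value in collect(**files).items():
        want = java_suite if where.startswith("JavaHost") else openssl_name
        if value != want:
            problems.append(f"{where}: found {value!r}, expected {want!r}")
    return problems

if __name__ == "__main__":
    print(check("SSL_RSA_WITH_RC4_128_SHA", SAMPLE))
```

Pass the contents of each component's real configuration file in place of the sample strings; a malformed XML file raises a parse error here, the same class of mistake that stops the component from starting.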
This appendix contains the following sections:

■ Section A.1, "Alternative Authentication Options"
■ Section A.2, "Alternative Authorization Options"

A.1 Alternative Authentication Options

Several Oracle Business Intelligence legacy authentication options are still supported for backward compatibility. The best practice for upgrading systems is to begin implementing authentication using an identity store and authentication provider as provided by the default security model. An embedded directory server is configured as the default identity store and authentication provider during installation or upgrade and is available for immediate use. For more information about the default security model, see Chapter 1, "Introduction to Security in Oracle Business Intelligence" and Appendix B, "Understanding the Default Security Configuration".

Authentication is the process by which the user name and password presented during login are verified to ensure the user has the necessary credentials to log in to the system. Oracle BI Server authenticates each connection request it receives. The following legacy authentication methods are supported by BI Server for backward compatibility in this release:

■ External LDAP-based directory server
■ External initialization block authentication
■ Table-based

This section contains the following topics:

■ Section A.1.1, "Setting Up LDAP Authentication"
■ Section A.1.2, "Setting Up External Table Authentication"
■ Section A.1.3, "About Oracle BI Delivers and External Initialization Block Authentication"
■ Section A.1.4, "Order of Authentication"
■ Section A.1.5, "Authenticating by Using a Custom Authenticator Plug-In"
■ Section A.1.6, "Managing Session Variables"
■ Section A.1.7, "Managing Server Sessions"

A.1.1 Setting Up LDAP Authentication

You can set up BI Server to pass user credentials to an external LDAP server for authentication.

The legacy LDAP authentication method uses Oracle Business Intelligence session variables that you define using the Variable Manager in the Oracle BI Administration Tool. For more information about the session variables, see "Using Variables in the Oracle BI Repository" in Oracle Fusion Middleware Metadata Repository Builder's Guide for Oracle Business Intelligence Enterprise Edition.

To set up LDAP authentication:

1. Create an LDAP Server as follows:

a. Select Manage then Identity in the Administration Tool to launch the Identity